Schwab, TD Ameritrade Hit With Class-Action Suit Over MOVEit Hack

What You Need to Know

Plaintiff David Schultz says Schwab and TD Ameritrade waited nine weeks before telling their 61,000 affected customers about the hack.
Schultz was told to spend time mitigating his losses and get two years of identity theft protection.
Schwab and TD Ameritrade have not revealed most of the findings of the investigation it commissioned about the hack, the suit says.

Charles Schwab and TD Ameritrade are the latest firms to be sued for a data breach related to the ongoing cyberattack exploiting the MOVEit file-transfer software.

The suit, filed Wednesday by David Schultz in the U.S. District Court for the District of Nebraska, states that Schwab and TD waited nine weeks before telling Schultz, along with approximately 61,000 Schwab customers, that the hack had occurred.

The attack this year on the MOVEit file transfer system was orchestrated by the Cl0P ransomware gang. At least 734 organizations have reported MOVEit-related breaches, according to KonBriefing Research. Those reports have affected at least about 43 million people.

The class-action suit against Schwab and TD comes as there’s less than two weeks to go before TD Ameritrade advisors and their clients’ accounts are scheduled to move to the Charles Schwab platform.

Schwab, TDA Suit Details

According to the complaint against Schwab and TD Ameritrade, Schultz received a Notice of Data Breach letter dated Aug. 3, on or about Aug. 22 from TD Ameritrade Client Services.

The letter notified Schultz that on May 30, 2023, Schwab and TD “became aware of an alert issued by Progress Software — the company responsible for the MOVEit file transfer program.”

The letter, according to the complaint, notified Schultz that after an investigation, Schwab and TD ”discovered unauthorized access to their customers’ personal information which includes, but is not limited to Plaintiff’s name, Social Security Number, financial account information, date of birth, government identification numbers, and other personal identifiers.”

Schultz was further advised that “he should spend time mitigating his losses by taking steps to help safeguard his information, including following recommendations by the Federal Trade Commission regarding identity theft protection and placing a fraud alert or security freeze on his credit file,” the complaint states.